Author: Chris Woollard

Introduction

This configuration is a bit of a moving target and will likely change in future as security best practice changes.

This is a fairly simple process. Complete all the steps and you will get an A+ rating on SSLLabs.com with a 100% score for Certificate, Protocol Support, Key Exchange and Cipher Strength.

This configuration is known to work on Ubuntu 16.04 LTS, but it should work on other setups providing you have the right software versions. Please note that the configuration of DH / ECDH requires at least Apache 2.4.8+ with OpenSSL 1.0.2+.

This set of instructions also assumes that you already have a working SSL configuration with a proper CA-signed certificate on a 4096-bit RSA key.

** Please back up your configuration before you make changes. Just in case **

Configure Secure Cipher Suites

Edit /etc/apache2/mods-enabled/ssl.conf

Modify the SSLCipherSuite directive so that only cipher suites with 256-bit or stronger encryption remain enabled.

SSLCipherSuite "HIGH:!aNULL:!MD5:!3DES:!CAMELLIA:!AES128"

Configure SSL / TLS Protocols

Also in /etc/apache2/mods-enabled/ssl.conf

Ensure that only TLS 1.2 is enabled. All modern web browsers support it, including Internet Explorer 11 on Windows 7+, Safari 7+, Firefox and Google Chrome. On mobile, Android 4.4+ and iOS 6+ support it.

SSLProtocol TLSv1.2

Configure DH / ECDH Parameters

This section is specific to Apache 2.4.8+ with OpenSSL 1.0.2+.

Generate 4096-bit Diffie-Hellman parameters. This could take anywhere from 10 minutes to several hours, depending on the speed of the computer it runs on.

openssl dhparam -out /etc/ssl/private/dhparams_4096.pem 4096

Then add the following configuration to your Apache SSL configuration VirtualHost. By default this would be in /etc/apache2/sites-enabled/default-ssl.conf.

SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams_4096.pem"

Next, add the configuration parameters for the Elliptic Curve ciphers. By default a 256-bit curve is used, but this isn’t enough if you are going for the 100% rating on SSLLabs.com. These options raise the minimum to 384 bits.

Enable OCSP Stapling

OCSP Stapling allows the web server to fetch and cache the revocation status of its own certificate (the signed OCSP response) and send it to clients during the handshake. It takes the burden of checking away from the client. For more information see https://en.wikipedia.org/wiki/OCSP_stapling

Edit /etc/apache2/mods-enabled/ssl.conf and add the options below. Note that SSLStaplingCache must sit outside any VirtualHost block.

SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

Enable HTTP Strict Transport Security (HSTS)

Enable the Apache Headers Module

a2enmod headers

Add the following to your HTTPS Virtual Host directive in /etc/apache2/sites-enabled/default-ssl.conf.

Like this:
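As an added example (not the author's own configuration from this page), the following pulls all the steps above together in one place. The ECDH curve directives and the HSTS max-age value are my assumptions, since the page omits them; SSLHonorCipherOrder is an addition not in the guide; the hostname and certificate paths are placeholders.

```apache
# Server-wide settings: /etc/apache2/mods-enabled/ssl.conf
# (Apache does not allow trailing comments, so every comment is on its own line)
SSLProtocol TLSv1.2
SSLCipherSuite "HIGH:!aNULL:!MD5:!3DES:!CAMELLIA:!AES128"
# Not in the guide: make the server, not the client, pick the suite
SSLHonorCipherOrder on
# OCSP stapling; the cache directive is only valid outside <VirtualHost>
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

# Per-site settings: /etc/apache2/sites-enabled/default-ssl.conf
<VirtualHost *:443>
    # Placeholder hostname and certificate paths
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # 4096-bit DH parameters generated with "openssl dhparam" above
    SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams_4096.pem"

    # ECDHE curve: the guide says the options raise the minimum to 384 bits
    # but does not show them; these are the OpenSSL 1.0.2 SSL_CONF commands
    # I assume it meant (secp384r1 = P-384)
    SSLOpenSSLConfCmd ECDHParameters secp384r1
    SSLOpenSSLConfCmd Curves secp384r1

    # HSTS via mod_headers (a2enmod headers). max-age of one year is my choice;
    # "always" sends the header on error responses as well as 2xx responses
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
```

Run apachectl configtest before restarting, and only add includeSubDomains if every subdomain really is served over HTTPS, because browsers remember the policy for the full max-age.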

There are a couple of new technologies that are becoming more widely used that you may want to think about using. I have written a couple of pages explaining what they are and how to use them. They are definitely worth a look if you are a web server administrator.

David Cameron, the UK Prime Minister, has stated at an event in the East Midlands that new online data laws are required to remove the safe places in which terrorists communicate with each other. He also stated that he would push this if re-elected as Prime Minister.

One particular statement is of concern to me. David Cameron said, “There should be no means of communication which we cannot read”. This statement worries me. It implies that the use of encryption will be restricted in some way, maybe by restricting the levels of encryption in use or by inserting backdoors into software or hardware. Can you imagine the notion of a backdoor? This means intentionally adding an alternative way of gaining access. What if the bad guys found this too?

On one hand I am patriotic and want to make sure that the police and security services can do their job, mainly to protect me and my family from terrorists and other criminals. On the other hand I am a security professional and understand the continual and ongoing threat from criminals that try to attack and abscond with our data, or worse in some cases.

Because of this I want to make sure that my data and the services that I use are protected in the best ways possible. This is an ongoing struggle, and something that needs to evolve as time goes on.

An example of this is the recent issues with OpenSSL (POODLE and Heartbleed). I have had to make various changes to the security settings I use over the past year. If my Government had mandated that I must use a maximum of SSLv3, then suddenly I would have a problem. I could not go to TLSv1.0 because I would be breaking the law, and I could not stay with SSLv3 because my data would be at risk. The nature of politics does not allow for law changes overnight. Suddenly I am between a rock and a hard place. What do you do?

I would like to draw your attention to Moore’s Law, which stated “Computing performance doubles every 18 months”. Computing is by its very nature dynamic. Put simply, things can change very quickly, sometimes in unpredictable ways. I truly hope that the people in power who make these kinds of laws recognise that.

The last thing I would like to draw your attention to is Edward Snowden. He recognised that the American government had too much power and that this needed reining in, so that they are held accountable for their actions. We need the same in the UK. We need to make sure that our government is held responsible for its actions and is not allowed to do anything stupid.

In closing, terrorists and criminals are clever. What is to stop them from simply using services outside the UK, leaving the rest of us with a restricted right to a free and open Internet?

*Update 14th January 2015 @ 07:55

Since I wrote this, the European Union Agency for Network and Information Security (ENISA) has published a report stating that more security, encryption and privacy is needed, not less.

As of writing it has 91% of the funding required ($35,350 out of $39,000). So not far to go, but only 4 days left.

If you have any interest in the Raspberry Pi then this project would make a great investment, especially as it is the only case I have found that is designed specifically to house a 2.5″ HDD. It would be particularly useful for a home media server.

In addition, all the major Certificate Authorities (CAs) have started providing customers with information specific to their services. So if you already have certificates, contact your CA for further migration help.